gpg --refresh with large keyrings and hkps in 2.1.1
ben at adversary.org
Tue Apr 21 03:19:24 CEST 2015
On 20/04/2015 7:17 pm, Guilhem Moulin wrote:
> On Thu, 16 Apr 2015 at 08:49:50 +1000, Ben McGinnes wrote:
>> On 16/04/2015 7:17 am, Daniel Kahn Gillmor wrote:
>>> Tor circuits to a particular endpoint are likely to be stable over the
>>> period of time it would take to fetch the whole keyring.
>> In a country with a decent Internet connection, sure. Over here in
>> Australia, however, you can be pretty sure that you'll hit the ten
>> minute window more than once.
> Doesn't gpg use a single connection for the whole --refresh-keys? AFAIK
> the 10min window (‘MaxCircuitDirtiness’ in the torrc) is only relevant
> for new connections; I doubt tor client kills existing TCP connections
> when updating circuits.
Hmm, that's a good point; it means the only guaranteed way around that
is one of the lesser-used current workarounds (a Python script using
requests and python-gnupg to get the keylist and grab keys
> To force a circuit update each 10min, you could refresh your keyring one
> key at a time. Or use a tool like parcimonie , or simply use the
> gnupg-curl module with a different SOCKS5 username/password for each key
> (assuming the ‘IsolateSOCKSAuth’ flag is set in your torrc, which is the
The requests method above definitely works, with the Tor SOCKS
settings being used like any proxy parameter is with requests.
> gpg --http-proxy=socks5h://$FPR:$RANDOM@127.0.0.1:9050 --recv-key $FPR
> Unfortunately this is broken with 2.1, because dirmngr currently doesn't
> honor --http-proxy (Issue1786).
Which means I could presumably adapt my proxychains rule to that
method in the meantime. I doubt there is much point, though; I
expect a number of these network-related issues will be fixed before I
desperately need a full key refresh. Still, these bits are useful and
duly filed away for the future, cheers. :)
Hopefully one of the top ones on Werner's list is the TLS connections,
as that is almost certainly more important than an edge case like Tor.
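The one-key-per-circuit approach discussed in this thread (a requests-based script that hands Tor a distinct SOCKS5 username/password for every key, so that IsolateSOCKSAuth puts each fetch on its own circuit), as an added example that is not code from the thread or from GnuPG. The keyserver name is a placeholder, 127.0.0.1:9050 is assumed to be Tor's SOCKS port, and `get`/`import_key` are injected so the logic can be exercised without a network.

```python
import secrets

TOR_SOCKS = "127.0.0.1:9050"      # assumption: Tor's default SOCKS port
KEYSERVER = "hkps.example.org"    # placeholder: substitute a real HKPS keyserver

def normalize_fpr(fingerprint):
    """Strip spaces and upper-case; reject anything that is not a v3/v4 fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) not in (32, 40) or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError(f"not a fingerprint: {fingerprint!r}")
    return fpr

def isolated_proxy(fpr, socks=TOR_SOCKS):
    """requests proxy mapping with SOCKS5 credentials unique to this key. With
    IsolateSOCKSAuth in torrc, Tor puts each distinct credential pair on its own
    circuit, so every fetch gets a fresh one; socks5h makes Tor do the DNS lookup."""
    url = f"socks5h://{fpr}:{secrets.token_hex(8)}@{socks}"
    return {"http": url, "https": url}

def lookup_url(fpr, keyserver=KEYSERVER):
    """HKP 'get' query with machine-readable output (the URL form dirmngr uses)."""
    return f"https://{keyserver}/pks/lookup?op=get&options=mr&search=0x{fpr}"

def fetch_key(fingerprint, get, keyserver=KEYSERVER):
    """Fetch one armored key over a fresh circuit. `get` is requests.get or any
    callable taking (url, proxies=, timeout=), injected so this is testable offline."""
    fpr = normalize_fpr(fingerprint)
    resp = get(lookup_url(fpr, keyserver), proxies=isolated_proxy(fpr), timeout=90)
    resp.raise_for_status()
    if "-----BEGIN PGP PUBLIC KEY BLOCK-----" not in resp.text:
        raise ValueError(f"keyserver returned no key for {fpr}")
    return resp.text

def refresh_keyring(fingerprints, get, import_key):
    """One key per circuit; a failure on one key must not abort the rest."""
    done, failed = [], []
    for fingerprint in fingerprints:
        try:
            import_key(fetch_key(fingerprint, get))
            done.append(fingerprint)
        except Exception as exc:              # network, HTTP or 'no key' errors
            failed.append((fingerprint, str(exc)))
    return done, failed

if __name__ == "__main__":                    # needs requests[socks] and python-gnupg
    import gnupg, requests
    gpg = gnupg.GPG()
    fprs = [k["fingerprint"] for k in gpg.list_keys()]
    ok, bad = refresh_keyring(fprs, requests.get, gpg.import_keys)
    print(f"refreshed {len(ok)} keys, {len(bad)} failed")
```

Run as a script it needs requests[socks] (for socks5h proxies) and python-gnupg installed, and IsolateSOCKSAuth set in torrc for the per-key credentials to translate into separate circuits.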